Sololobo
Message 11 of 15

Re: You have been infected by wannacry (email from Virgin)

VM got a mention in this article from The Register http://www.theregister.co.uk/2017/05/19/wannacrypt_warning_email_confusion/

 




It's What I Do.
I Drink and I
Remember Things.
Superuser
Message 12 of 15

I love how people go on and mention port 445 - incidentally, Virgin used to block it and the rest of the NETBIOS trio - until user pressure made them rethink this. Something along the lines of "I pay for access to the whole internet." as I recall.

445 is how the worm spreads internally once it gets onto a LAN, but more often than not it enters the LAN through other means like an infected email.

But the wannacry worm tries communicating with a specific URI over HTTP so it's easy for the security researchers to log traffic hitting the website.  But it does mean that people who visit the site out of curiosity end up getting a well-intentioned letter as a result.

________________________________________


Only use Helpful answer if your problem's been solved.

LokiDog
Message 13 of 15

I received a letter today saying a device on my network may be infected with wannacry.
None are.

I did visit the kill switch website the security guy purchased out of curiosity, so that clears it up.
Superuser
Message 14 of 15

When wannacry requests the kill switch domain, the HTTP request header lacks the User-Agent field, according to the Cisco Umbrella blog. You may wish to query the report made to Virgin Media by Shadowserver to see if they filtered out such requests from their reports.

LokiDog
Message 15 of 15

I'm assuming they just have a list of IP addresses that have visited.
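
Added example (not part of any post in this thread, and not Shadowserver's or Virgin Media's actual process): one way a sinkhole report could separate the two kinds of visitor discussed in messages 14 and 15, taking at face value the claim that the worm's request carries no User-Agent header. The log lines, IP addresses and verdict labels are constructed, and a missing User-Agent is treated as a hint only, since other non-browser clients can omit it too.

```python
import re
from collections import defaultdict

# Constructed sinkhole access-log lines (combined log format); the IPs come
# from documentation ranges and nothing here is real report data.
SAMPLE_LOG = """\
198.51.100.7 - - [19/May/2017:10:01:02 +0000] "GET / HTTP/1.1" 200 0 "-" "-"
198.51.100.7 - - [19/May/2017:10:01:09 +0000] "GET / HTTP/1.1" 200 0 "-" "-"
203.0.113.20 - - [19/May/2017:10:02:11 +0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/53.0"
203.0.113.20 - - [19/May/2017:10:02:12 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/53.0"
192.0.2.55 - - [19/May/2017:10:03:40 +0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/58.0"
192.0.2.55 - - [19/May/2017:11:15:00 +0000] "GET / HTTP/1.1" 200 0 "-" "-"
not a log line
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def triage(log_text):
    """Return {ip: verdict}; only hits with no User-Agent count as suspect."""
    counts = defaultdict(lambda: {"no_ua": 0, "with_ua": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed records rather than guessing
        # Web servers log a missing header as "-" (or an empty string).
        key = "no_ua" if m["ua"] in ("", "-") else "with_ua"
        counts[m["ip"]][key] += 1
    verdicts = {}
    for ip, c in counts.items():
        if c["no_ua"] and c["with_ua"]:
            verdicts[ip] = "mixed"         # shared IP: browser visit plus UA-less hit
        elif c["no_ua"]:
            verdicts[ip] = "notify"        # matches the request shape described above
        else:
            verdicts[ip] = "browser-only"  # likely a curious visitor
    return verdicts

if __name__ == "__main__":
    for ip, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(ip, verdict)
```

A plain list of visiting IP addresses, as message 15 assumes, would put all three sample addresses in the same notification batch.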